Thousands of privacy breaches going unreported

Asher Moses

There has been a 27 per cent jump in the number of incidents of stolen or lost personal information reported to the Privacy Commissioner in the past year but inadequate laws mean thousands of incidents go unreported.

At a seminar held this morning by the International Association of Privacy Professionals, the Privacy Commissioner, Timothy Pilgrim, revealed his office had received 56 data breach notifications in the year to June 30 - up from 44 in the previous year.

However, Pilgrim warned that this only included responsible companies that voluntarily owned up to losing personal information as the government had failed to introduce mandatory data breach notification laws.

The worst offenders often got away with little accountability and forensic investigators say almost all incidents they investigate on behalf of companies are not made public.

"We simply don't know the extent of data breaches that go on," Pilgrim said, adding that he believed there were many that went unreported given the millions of transactions Australians engage in each day.

Pilgrim also revealed his office had opened 59 "own motion" investigations in the past year - usually following media reports of privacy breaches. This includes investigations into Google, Telstra, Vodafone, Dell, Sony and most recently Medvet, which inadvertently left its order system for paternity and drug tests open to be accessed via search engines.


Data breaches cost companies about $2 million per incident, according to Symantec, and individuals who lose personal data often become targets of identity fraud and other attacks.

Following the recent Sony breach the Home Affairs Minister, Brendan O'Connor, said a mandatory data breach notification law "appears necessary", but he has yet to follow through.

Privacy experts have long been critical of Australia's privacy regime as the Privacy Commissioner has no powers to seriously penalise companies for breaching privacy laws or even to force them to improve the security of their systems.

"Even if the matter is subject to federal law, it is unlikely that the Australian Privacy Commissioner will take any useful action," said Roger Clarke, chair of the Australian Privacy Foundation.

"His track record, when reporting on such matters, has been to protect the organisation that has broken the law, rather than protecting the people whose privacy has been threatened."

Nigel Waters, a privacy consultant who has previously held the positions of Deputy Federal Privacy Commissioner and Assistant UK Data Protection Registrar, said the number of unreported breaches would easily number in the "thousands" each year.

"It's beyond credibility that it isn't happening on a regular basis with many, many businesses ... we can't just rely on the voluntary [notification] scheme," he said.

"The government has dragged its feet. I don't think there's any excuse for not acting on this. Data breach notification laws are needed, it's not that difficult ... [they] should be brought forward in the privacy reform schedule."

Since 2009 the federal government has been sitting on a recommendation from the Australian Law Reform Commission (ALRC) that mandatory data breach laws be introduced. This was one of 295 privacy reform recommendations the ALRC delivered; the government responded to 197 of them in October 2009, but the Privacy Act has yet to be updated.

The federal government reacted to recent privacy breaches at News International in Britain with plans to bring forward discussions on a statutory right to privacy - giving people the right to sue for privacy breaches.

However, it has yet to raise mandatory data breach notification laws as an issue despite a string of recent privacy breaches. Over 70 million Sony PlayStation Network accounts globally were compromised, while Vodafone's security was so poor that customer information could be accessed on the internet.

Pilgrim said he was "hearing discussions happening within government and elsewhere about whether or not that consideration [mandatory data breach laws] should be brought forward".

Such laws have existed for some time in the US, Japan, Germany, Spain, Norway and Austria, according to Waters. The European Union agreed on mandatory notification laws for telcos and ISPs in 2009, and they took effect in July.

Pilgrim has long supported mandatory data breach notifications saying "it's a useful tool that is going to give people the ability to have a greater understanding of what's happening to their information particularly if something goes wrong with it."

Critics of the changes - typically big businesses fearful of the reputational damage that mandatory notifications could cause - argue there are already some protections for consumers in the Privacy Act and that organisations could incriminate themselves if notifications were mandatory.

Pilgrim said he expected to eventually receive new powers that would allow him to seek enforceable undertakings and civil penalties through the courts from companies that breach privacy laws.

"It's been identified that the office does not have significant powers to cover all aspects of matters brought to us ... we do have powers to resolve an individual complaint which may end up leading to a formal determination although I acknowledge there's been very few of those in the life of the Act," he said.

Pilgrim added that today most privacy complaints were resolved through a "conciliation process" and about 20 per cent of complaints were resolved with the payment of some sort of financial compensation.

"The majority of people are not looking for money ... they want to see an organisation take steps to resolve the matter," he said.

But even then, in the case of own motion investigations, Pilgrim acknowledged that he had no powers to force an organisation to do anything to improve or change its systems. In some cases Pilgrim has been able to get the company to agree to implement changes, such as Google following revelations it collected personal data from home Wi-Fi networks.

James Kelaher, a data protection expert who has advised the federal government on such matters, said the current privacy regime "does very little to protect people".